CVE-2022-37186

EUVD-2022-39839
In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
lemonldap-nglemonldap\
𝑥
< 2.0.15
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lemonldap-ng
bookworm
2.16.1+ds-deb12u2
fixed
bullseye
2.0.11+ds-4+deb11u5
fixed
sid
2.20.0+ds-2
fixed
trixie
2.20.0+ds-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lemonldap-ng
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15
https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15
https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html